0day DoS: Mikrotik Server side DoS attack

After exploring the Winbox client/server protocol, I wanted to find some ways to get rid of the Winbox service and the Winbox client…
This finding concerns only Mikrotik routers that have the Winbox service running (on port 8291 or on any other port).
While trying to generate a lot of traffic against the server as a test, I saw the service become unstable, causing various problems for the whole router. The least of them was 100% CPU load, but there are others, depending on the hardware and the RouterOS version. The exploit's logic is very simple, and so is the Winbox protocol analysis behind it, which made the vulnerability very easy to identify. I found it while downloading a DLL/plugin file from the Mikrotik router (just as the Winbox client does): pick a big file and request its 1st part many times. That is what causes the DoS. The only file needed is the .py script, which is tested on Python 2.4 and 2.7.

More details, download and usage are below:

Vulnerability Description
=========================
The denial of service happens in the Mikrotik router's Winbox service when the attacker
continuously requests a part of a .dll/plugin file. The service becomes unstable, every
remote Winbox client gets disconnected and no further connections are accepted. That lasts
for about 5 minutes; after the 5 minutes, Winbox is stable again and accepts new connections.
If you send the malicious packet in a loop (requesting a part of a file right after
the service becomes available again) the result is a 100% denial of the Winbox service.
While the Winbox service is unstable and refusing to serve, it raises the router's CPU to 100%
and causes other effects. The "other effects" depend on the RouterOS version and on the hardware.
For example:
=> Mikrotik Router v3.30: LAN corruption, BGP failure, failure of the whole router
=> Mikrotik Router v2.9.6: BGP failure
=> Mikrotik Router v4.13: unstable wifi links
=> Mikrotik Router v5.14/5.15: rarely, the router hangs
=>>> Behaviour may vary, but ALL of them will show 100% CPU. Most routers lose BGP after a long attack <<

The exploit
===========
This is a vulnerability in the Winbox service. It exploits the fact that Winbox lets you download the files/plugins
that the Winbox client needs in order to control the server, and generally lets you gather basic information about
the service BEFORE any user login!
Sending specially crafted requests to the Winbox service can cause a 100% denial of the Winbox service (router side).
The script offers you the possibility to download any of the DLLs that can be downloaded from the router, one by one
or all together (see usage for more info). The file must be contained in the router's DLL index.
The DLLs are downloaded in the Winbox service's own format, meaning that they are gzip-compressed and carry
0xFF 0xFF bytes every 0x101 bytes (the format the Winbox client expects for received files).
These DLLs can be used by the "Winbox remote code execution" exploit script 😉
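A decoder for the downloaded plugin format, as an added example: this is not the author's mkDl.py and not any Mikrotik code. It follows the description above, restated in the author's reply in the comments, that a file as served by the Winbox service is gzip data carrying two 0xFF 0xFF bytes in every 0x101-byte block. One assumption is made that the page does not state outright: the 0xFF 0xFF pair sits at the start of each 0x101-byte block, leaving 255 (0xFF) bytes of gzip data per full block, with a possibly shorter final block. The frame() helper and the sample payload exist only to construct test input offline; no real router file is included.

```python
"""Unframe and gunzip a plugin/DLL file as served by the Winbox service.

Format as described in the post: gzip data with two 0xFF 0xFF bytes in every
0x101 (257) byte block.  ASSUMPTION (not stated on the page): the pair sits at
the start of each block, so 255 bytes of gzip data follow it in a full block.
"""
import gzip

BLOCK_LEN = 0x101                          # 257 bytes per framed block (from the post)
MARKER = b"\xff\xff"                       # the two bytes to strip from every block
DATA_PER_BLOCK = BLOCK_LEN - len(MARKER)   # 255 payload bytes per full block


def looks_framed(data: bytes) -> bool:
    """Cheap sanity check: does every 0x101-byte block begin with the marker?"""
    return all(data[off:off + 2] == MARKER
               for off in range(0, len(data), BLOCK_LEN))


def unframe(framed: bytes) -> bytes:
    """Strip the 0xFF 0xFF marker from every 0x101-byte block.

    Raises ValueError if a block lacks the marker, so a file saved in some other
    form (or truncated mid-marker) is not silently mis-decoded.
    """
    out = bytearray()
    for off in range(0, len(framed), BLOCK_LEN):
        block = framed[off:off + BLOCK_LEN]
        if not block.startswith(MARKER):
            raise ValueError("missing 0xFFFF marker at offset 0x%x" % off)
        out += block[len(MARKER):]          # keep the (up to) 255 data bytes
    return bytes(out)


def frame(raw: bytes) -> bytes:
    """Inverse of unframe(); used here only to construct sample input offline."""
    out = bytearray()
    for off in range(0, len(raw), DATA_PER_BLOCK):
        out += MARKER + raw[off:off + DATA_PER_BLOCK]
    return bytes(out)


def decode_plugin(framed: bytes) -> bytes:
    """Unframe and gunzip a downloaded plugin, returning the plain DLL bytes."""
    return gzip.decompress(unframe(framed))


def build_sample(payload: bytes) -> bytes:
    """Constructed sample: gzip a fake plugin body and frame it like the router would."""
    return frame(gzip.compress(payload))


if __name__ == "__main__":
    # Constructed stand-in for a plugin body; no real roteros.dll is involved.
    body = b"MZ fake plugin body " + bytes(range(256)) * 3
    sample = build_sample(body)
    print("framed sample: %d bytes, %d blocks" % (len(sample), -(-len(sample) // BLOCK_LEN)))
    print("decoded OK:", decode_plugin(sample) == body)
```

If a real download fails the marker check, the position assumption is wrong for that file: dump the first few blocks in a hex viewer, find where the 0xFF 0xFF pair actually sits and adjust unframe() accordingly. After a correct unframe the gzip magic bytes 1f 8b should be the first two bytes of the output.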

Usage
=====
Try running the script without arguments to see the usage, or use the script as described below:

1. You can download ALL the files in the router's DLL index using the following command:

python mkDl.py 10.0.0.1 * 1

The "1" at the end is the speed. "Speed" is a factor I added so the script delays a bit while receiving
information from the server. It is a MUST to use a slower speed (9, for example) for remote routers
at a long distance (many hops). On a Linux shell, quote the "*" so the shell does not expand it to the files in the current directory.
At the beginning of the DLL file list, the script also shows you the router's version (provided by the router's index).

2. You can download a specific .dll file from the remote router:

python mkDl.py 10.67.162.1 roteros.dll 1

In this example I download roteros.dll (the biggest and main plugin) with a speed factor of 1 (very fast).
Because roteros and 1-2 other files are big, you have to request them in parts (64k each).
That is a restriction of the Winbox communication protocol.
If you don't know which file to request, make a "*" request first (1st usage example), look at the DLL list, and press Ctrl-C
to stop the script.

3. You can cause a Denial of Service on the remote router, meaning denial of the Winbox service or more (read above):

python mkDl.py 10.67.162.1 DoS

This command keeps requesting the 1st part of roteros.dll from the router's Winbox service in a loop,
causing the DoS. The script requests the file until the router stops responding on the port (8291).
Then it waits until the service is up again (using some exception handling), then requests again until the remote service is down again, and so on. The requests last about 2 seconds, and the router does not respond for about 5 minutes, as far as I have seen in my tests on different RouterOS versions.

31 Responses to 0day DoS: Mikrotik Server side DoS attack

ErebusBat reported an error with Python 2.7.1 on Lion OSX. There was a weird behaviour in the DoS loop where there wasn't a flood of the "- Sending evil packet.. press CTRL-C to stop -" message as expected and there was no DoS at all. I'll keep you updated when I check Lion myself 🙂
Btw, it works fine as tested on Windows with Python 2.7 and on BackTrack 5.

I have a problem with this, can someone explain to me
what I should do?

Traceback (most recent call last):
  File "mkDl.py", line 225, in <module>
    s.connect((mikrotikIP, 8291))
  File "C:\Python27\lib\socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

@d4taps
You don't need to; they are the original DLLs as provided by the Mikrotik router v5.14. If you want to see them you have to remove the two 0xFF 0xFF bytes in every 0x101 bytes inside every DLL (that's the format that Winbox wants to "see" for the received file). If you look at the script's source you'll find out.. 😉

I've solved the problem. The problem occurred because the script syntax belongs to Python version 2, but the Python I installed is version 3, so I converted it to version 3 using 2to3.py from Python.
Now I have another problem. When I run this:

No, you can't do it with this method, and inside the DLL there is no info like that. You can just grab the admin's saved Winbox passwords (if there are any) using the command execution exploit and a MAC spoofing method, BUT you must be in the same LAN as the victim, OR you can social-engineer him, so you don't need the same LAN and MAC spoofing … 😛

Thanks PoURaN for this great info, I don't think I will find it anywhere else, and I have 3 questions:
1st: how can I get the backup of the Mikrotik or other info like the username? Don't the DLL files that we downloaded contain all the info?

2nd: how do I use the DLL files to extract the info in them, like PPP and others?

3rd: what MAC do I have to spoof, the admin PC's LAN, the Mikrotik, or anyone connected to the Mikrotik?

@hi
Hello, concerning your questions:
1) No, you can't, and no, the DLLs don't contain any info about users/backups; they just contain functions to make winbox.exe work with the specific Mikrotik version.
2) You can't, see 1) :p
3) MAC spoofing can be done where you are in the same LAN as your victim (in this case your victim is the Mikrotik admin). Search more about MAC spoofing.

Thanks PoURaN again for your answers.
You said "You can just grab the admin's saved winbox passwords (if there are any) using the command execution exploit and a mac spoofing method".
I know how to spoof the MAC address, but what do you mean by command execution exploit? What is this, and can you tell me in detail, because it's been almost a year that I have been trying to hack the Mikrotik to get the user and password 🙂

@hi
Hey man, I was a bit busy, that's why I was late to reply. So, by saying remote code execution exploit I mean this one: http://www.133tsec.com/2012/04/27/0day-mikrotik-winbox-client-side-attack-a-remote-code-execution-exploit/
Watch and understand the video I made there. To execute code on your victim, you have to do it 1) by social engineering (talk to him and ask him to connect to your malicious mtik emulator) or 2) by spoofing his router and forcing him to connect to you instead of his router (MAC spoofing, same LAN).
For how to make a malicious emulator for mtik, watch the video of the exploit I told you about earlier.
cya